Slashdot Mirror
In Encryption Push, Chrome Flags HTTP Sites as 'Not Secure' (zdnet.com)
On Tuesday, Chrome started marking sites that don't use HTTPS as "not secure." From a report: First announced two years ago, Google said it would flag any site that still uses unencrypted HTTP to deliver its content in the latest version of Chrome, out Tuesday. It's part of the company's years-long effort effort to gradually nudge more webmasters and site owners into adopting HTTPS, a secure encryption standard for data in transit. Any site that doesn't load with green padlock or a "secure" message in the browser's address bar will be flagged -- and shamed -- as insecure.
[...] According to nightly data compiled by security experts Troy Hunt and Scott Helme, roughly 100 of the top 500 websites are still serving their pages over unencrypted HTTP -- all of which will today be flagged as "insecure." Many of those sites -- like Baidu, JD.com, and Google.cn -- are Chinese language sites, but many popular Western sites -- including BBC.com, DailyMail.co.uk, and Fedex.com -- are HTTP. Of the top million sites, a little over half do not redirect to HTTPS. Chrome 68 also brings with it Page Lifecycle API, and the Payment Handler API. From a report: The Payment Handler API builds on the Payment Request API, which helped users check out online. The new API enables web-based payment apps to facilitate payments directly within the Payment Request experience, as seen above. As with every version, Chrome 68 includes an update to the V8 JavaScript engine: version 6.8. It reduces memory consumption as well as includes improvements to array destructuring, Object.assign, and TypedArray.prototype.sort. Check out the full list of changes for more information.
[...] According to nightly data compiled by security experts Troy Hunt and Scott Helme, roughly 100 of the top 500 websites are still serving their pages over unencrypted HTTP -- all of which will today be flagged as "insecure." Many of those sites -- like Baidu, JD.com, and Google.cn -- are Chinese language sites, but many popular Western sites -- including BBC.com, DailyMail.co.uk, and Fedex.com -- are HTTP. Of the top million sites, a little over half do not redirect to HTTPS. Chrome 68 also brings with it Page Lifecycle API, and the Payment Handler API. From a report: The Payment Handler API builds on the Payment Request API, which helped users check out online. The new API enables web-based payment apps to facilitate payments directly within the Payment Request experience, as seen above. As with every version, Chrome 68 includes an update to the V8 JavaScript engine: version 6.8. It reduces memory consumption as well as includes improvements to array destructuring, Object.assign, and TypedArray.prototype.sort. Check out the full list of changes for more information.
All of this is pointless as long as we encourage corp IT firewall admins to completely break https with their MitM proxies that use fake wildcard certs and bogus CAs as part of a GP push.
Everyone writes about google chrome 68 released today but so far google didn't release 68 version. Just checked official google servers for google chrome (linux version). Stable is still 67.
I'm a big firefox lover but I also build websites, GIMME GIMME!
For years I have been commenting on the way that browsers treat self signed certificates, it was always ridiculous and inconsistent. Sites with self signed certs were treated as if they were hacked by definition while HTTP traffic was not marked as insecure at all. At least at this point there will be some consistency to the way that HTTP and celf signed certificates are treated.
You can't handle the truth.
They're not wrong.
I'd be very concerned if any site I used for monetary purposes wasn't using HTTPS.
On the other hand, sites providing data services like streaming or news probably don't need to encrypt anything.
I mean it's not like the old days when you had to bolt on a hardware encryption module. HTTPS is pretty easy, and with modern processors not much of a burden.
Thanks, Google, for breaking the internet.
Misusing your power (client & server) to push people around and to shape a landscape favoring your business and nothing else. You are finishing the nightmare Microsoft tried to realize.
Assholes.
Most web sites don't need https. Most web sites don't take payments, don't transmit user data, etc.
Bbc.com doesn't need encryption. My business site which doesn't take payments or allow user accounts does not need encryption. It's a wall of text and pictures.
Google acting like the entire world needs this is incredibly stupid.
I already have to use Firefox to access firewalls because Google decided that "go to the site anyway goddammit" just means "allow traffic for 2 minutes, and then complain about the certificate again. And again. And again"
Now it's going to scare people for no reason. Screw them
More than half the websites in the world use Let's Encrypt certificates. Far too many websites use one of Google's script or font resources. Chrome's market share is approaching two thirds. Seven percent of all websites are accessed through Cloudflare's proxies.
I'd be very concerned if any site I used for monetary purposes wasn't using HTTPS. On the other hand, sites providing data services like streaming or news probably don't need to encrypt anything.
Yes!
for 90% of the stuff I browse on the web, I don't need https. I really don't care who sees the cat pictures I look at.
https should be saved for pages that actually need encryption
Now with the end of net neutrality. Your ISP might soon start adding adds to your content if it isn't encrypted.
The real reason behind this move is to secure Google's ad revue. If everything is HTTPS then nobody in the middle can inject or alter HTML ads into your browsing experience. This is the same reason why Chrome uses Google's DNS server 8.8.8.8. If you type in a non-existent domain google wants to redirect you to a google search page, rather than something ISP's DNS server will direct you to. The more Google can control your browser front end experience, and where you are going, the more control they have over the Internet. Security for the user in this case is just a side affect.
I have to wonder if we lockup all websites as viewable only via SSL - does that limit access to anything (historical) ? Alright - time to through away the crap, we can't keep everything.
Why is bbc.com insecure because it uses HTTP? I understand why mybank.com would be insecure. I'm worried well lose something valuable when Chrome et al block (some day in the future) all of HTTP.
Besides - it's only a matter of time before hackers move to SSL attacks. When the low hanging HTTP fruit is all gone, SSL looks very appetizing.
This is just Google making sure you HAVE to see their ads.
Google is the company that used to claim they wouldn't be evil. They quite publicly gave up on that.
Now Chrome can do web controlling actions like security extortion. the next step will be making only google approved certificates complete with extortionate prices will be marked as secure. Join the resistance, get one of the xul trio of browsers Waterfox Pale Moon or Basilisk.
in their recent versions, I've seen this break many intranet sites behind all kinds of VPNs and firewalls, forcing you to have to go through the pointless exercise of confirming the exceptions every single time.
I think you mean Self cyned sertificates.
The entire concept of certificate "authorities" is already fundamentally broken by design. (Kinda obvious, given the "argument from authority" fallacy.)
I can not trust an organization that happens to host a website, but I'm supposed to trust an organization that happens to be a CA? Because the browser maker said so? Whose trustworthiness is not established either, by the way.
If you want at least some trust, you either have to BE the CA (like with my own servers), or meet and get to know the person *personally*. Everything else is just hearsay, and of comparable trustworthiness to whatever you receive when you send out an unencrypted HTTP request to a random unknown domain.
By social engineers.
Their metric specifically mentions redirecting. One of the sites that I manage is an antique auto parts store. There is still a large fraction of our customers using Windows 98 era PCs. Due to this, automatic redirects from HTTP to HTTPS are disabled, so they can still browse the catalog and call us on the phone to order. Bots testing this site would notice the lack of redirection. However, modern browsers pass in some new additional headers which mention some HTTPS capabilities, and *IF* these headers are available, automatic redirection happens (since we know the client will be on a browser which supports the proper TLS version)
I'm sure several of these other sites are using a similar approach. I just personally tested FedEx.com, and it is properly redirecting from HTTP to HTTPS in an up-to-date browser. So odds are that these bots testing these sites are not fully supplying all the same headers that browsers do.
But there is an unstable version. Which, if it is anything like most open source software, is already quite stable.
The text on duck.com is significantly more informative than I expected.
I'm a good cook. I'm a fantastic eater. - Steven Brust
This kind of silliness wasn't what the web was designed for. The web was designed for the free dissemination of free information. Encryption and security are bolted-on hacks that not only don't work very well, but aren't at all in keeping with the original intent of the Web (or the whole Net, for that matter).
I don't see any reason most web sites need to be encrypted.
I don't respond to AC's.
There are some plenty of internal-only web sites that have zero need to be encrypted (for many reasons) that are going to be if theyâ(TM)re not already by this Google âoesolutionâ to an overstated problem.
some of my developers friends still don't redirect from http to https on any platform
or language even though we have perfectly constructed handlers for this job.
is it me or just lazy developers?
i redirect if https is available
Hopefully, though, software updates (such as Windows Update, Apple Update, etc...) will remain unencrypted. I run a network that services some remote communities via satellite, and those things are eminently cacheable (we have a WSUS server for our corporate computers).
Before you get your panties in a twist about that being insecure, the way I recall these things working is that the update client fetches SHA256 sums of the update files via HTTPS, and then downloads the files over HTTP. That way, the updates can be cached locally, but the end user can still be assured that they haven't been tampered with.
...si hoc legere nimium eruditionis habes...
You had security luminaries telling you XP was essentially unhackable. Ed Bott being the loudest luminary.
internal apps / IPMI's don't need certs so why push this?
The upshot of this is that users are going to become accustomed to ignore all such warnings and proceed to the site anyway. Rendering even legitimate warnings basically useless.
The page at Fedex.com where you pick your country is not encrypted IF you have not been there before. After you pick a country it redirects to HTTPS .
Oh. My. God. Somehow might sniff out what country I am in!
LOL, If someone if sniffing out my connection they already have an IP address that gets it to the state level. Silliest complaint ever
Comment removed based on user account deletion
SSL does more than simply encrypt traffic. The biggest benefit of SSL for static web sites or information-only websites is that you can verify that you are connected to the right source. Some people mentioned content tampering and man-in-the-middle attacks, but what about a good old fashioned DNS cache poisoning? With SSL, you're not as susceptible to that type of attack.
This is just a different icon, and a warning message. Many things done by goggle Chrome break my workflows and cause extra work, but a warning I can live with. The sites are indeed less secure than ones with self signed or invalid certs. Maybe users will get that "insecure" isn't bad for everything.
Comment removed based on user account deletion
Comment removed based on user account deletion
Hi all,
If this is supposed to have been a recent thing......I must have had a bleeding-edge beta version of this crap (on work pc, so it actually may have been a possibly policy set by over-protective / SCARED windows IT administrators?) 'Cuz this has been happening since.... around christmas at LEAST.
Either way. Here's the question I have for any of you:
Does anyone know an easy way (as in registry key, chrome setup registry or whatever that advanced options/configuration thing is) to disable redirecting (as soon as a http:// is entered, it replaces http with https on ANY url input)?
Not necessarily just for here at work....but I ran into the same thing on a PC running windows 10 with a recent browser and NEEDED to sniff (using tcpdump) web traffic to reverse engineer a poorly written web viewer application for a very early web-viewable camera (it was a "box camera" type thing, but with an ethernet port where the BNC video out port should have been...)
I personally don't install new web browsers unless I have to. And to this day, most sites work fine without issue using a VERY old browser that was based on Mozilla/firefox (it's called k-meleon), the only issue I usually see if there's an issue at all is the "YOUR BROWSER IS OUTDATED!" message. I ignore that b___s__t like any other person from the oldschool. I still run a p3 1000mhz w/ 512 mb ram, with the same install of XP that I had on it in 2005. And it boots up (from an off state) faster than most people's computers running recent versions windows (I'm not joking, probably YOURS too!). I've got tons of more recent hardware, but I'm not sold on it actually being that much faster for what I am using it for.
Thanks !
How about Chrome finally taking my word for it when I tell it I trust a particular cert even if it isn't officially signed by some entity I have never heard of.
Meanwhile, if it's so important, why do they make it a pain in the ass for me to examine the cert used by a site? Shouldn't it be in the menu that drops down when I click on the lock icon?
For that matter, why isn't it easy for me to tell Chrome that I do NOT trust a given cert no matter who signed it or that I don't trust a particular CA to sign off on water being wet?
Comment removed based on user account deletion
"And I think they also see the URL when you send it to the DNS server"
Aaaaand someone doesn't know how DNS works. The only thing sent to a DNS servers is the *Domain Name*. It's called the Domain Name System for a reason.
Comment removed based on user account deletion
I'm all for encrypting web traffic, but this push for HTTPS-everything is kind of terrifying. It puts us in this dystopian future where we rely on CAs to decide whether or not we can visit a website.
If a couple of CAs decide (or are told) to revoke my cert, there's literally nothing I can do about it. And all of a sudden my website is inaccessible to 90% of browsers, and there's nothing I can do about it.
I would happily support some kind of peer-to-peer encryption scheme (HTTPS with no CA, maybe). But centralizing everything through CA gatekeepers is just asking for a government to butt in.
---- I'll take you in a Hunt deathmatch any day.
Do any of those browsers implement DNSSEC DANE TLSA mode 3?
The first web browser that does will finally win this war of nonsense and bring real security to the landscape.
The number one reason, from my experience, is that of people see warnings a lot, especially for dumb things, they are quickly trained to ignore warnings. Microsoft learned this lesson with their first attempt at UAC. SELinux had a similar problem for a few years.
For best security, you should alert people to actual security problems, and only problems they can do something about. Reading Wikipedia over http is not a problem.
Also, Bobmorning makes a good point here:
https://tech.slashdot.org/comm...
The security systems that are supposed to rpotect you can't see all the malware being downloaded onto your system, the data being exfiltrated, etc when everything is TLS.
BTW you made a very good point in this other post, though I don't think most people have the background knowledge to fully appreciate your point.
https://tech.slashdot.org/comm...
> They had to divest themselves of the CA business because they prove themselves repeatedly to be not trustworth
Symnatec couldn't be trusted, therefore they couldn't have a CA business. That seems to indicate that untrustworthy companies can't be CAs (for long).
This isn't about security. It's about making sure that only registered publishers put material on the internet.
Your mundane page showing cat pics or whatever can be a serious threat if the script-kiddie on the next table can inject whatever javascript he wants into it before you receive it.
Yes, a source can be compromised too, but the ease of mitm http is just amazing. Also, any http security header (csp, hsts, hpkp, etc) or other mitigation techniques are futile if transport can't be trusted.
I suspect most people reading this haven't worked in a SOC, so they won't appreciate how much truth there is in what Bobmorning said.
> There is a delicate balance between having situational awareness of what is going on in the network versus
Exactly. We have systems that can see when a site is trying to do a drive-by malware installation or whatever, lots of ways to protect people in some pretty advanced ways. We can't protect what we can't read, though. So there is a balance. Encrypting everything makes it easier for the bad guys to send bad stuff to and from your machine without getting caught. So the ideal is neither "encrypt nothing" nor "encrypt everything as if it's a state secret". The best ways to protect against various attacks are situation dependent. For reading Wikipedia, unencrypted is probably safer overall. It's also faster - https can't be cached.
That is why I liked the Perspectives Project, where they had "notaries."
When faced with a certificate, you would ask the notaries for the cert they thought you should have, they would get the cert from the page, and send it to you. You would then compare the certs from several notaries to your cert, if enough of them matched, it would be considered good. You got to control what percent needed to match (100% was an option). The idea was, that either your cert was good, or the entire internet was pwned as far as that site was concerned, the idea was that if everyone had a bad cert for the internet, the site would eventually notice.
I would at least propose to restrict pages served over HTTP from any form of interactivity. No scripts, no plugins, no forms, no "responsive" CSS, limited media formats—no audio or video
Under your suggestion, with what certificate on what domain should the operator of a private video server on a home LAN run HTTPS? Public CAs don't sign certificates for RFC 1918 private IP addresses or for names within non-public TLDs (such as .local used by mDNS). Some users have suggested using dynamic DNS, but in order to qualify for a certificate from Let's Encrypt, a subdomain needs a TXT record, and the domain it's under needs a Public Suffix List entry. Many dynamic DNS providers don't support those.
It's about making sure that only registered publishers put material on the internet.
I don't see what practical problem that causes for publishers on the Internet, seeing as Let's Encrypt allows anybody who owns a domain name to register as a publisher without charge. Or are you anticipating tighter control of domain names in the first place?
W3C maintains a spec called Secure Contexts, which encourages web browsers to completely disable certain sensitive JavaScript features within HTML documents served over a cleartext HTTP connection. Only HTTPS and http://localhost/ are allowed to use Service Workers, Geolocation, Payment Request, Presentation, and several other web platform APIs.
Comcast has been caught injecting advertisements into HTML documents that Comcast customers view over cleartext HTTP. If BBC doesn't want Comcast performing cross-site scripting on BBC's site, BBC needs to use HTTPS.
google approved certificates complete with extortionate prices
Let's Encrypt offers TLS certificates to domain owners without charge. Its website lists the division of Google that maintains Chrome as a sponsor. So no, I don't see Chrome requiring "extortionate prices" for TLS certificates any time soon.
Do any of those browsers implement DNSSEC DANE TLSA mode 3?
Do any websites use DNSSEC DANE TLSA mode 3, with which to test experimental web browsers that do support it?
Many domain name owners use the zone hosting bundled by the registrar, and in a lot of cases, DNSSEC is either unavailable or an upsell at an additional recurring fee. Let me know when most major registrars' bundled zone hosting supports DNSSEC by default. Only at that point will DANE be ready for wide use.
Searxes is flagging MitM proxies.
It also warn you if you're browsing with Chrome.
Encrypted is not the same as "secure".
Encrypting the material in transit doesn't make any less freely disseminated or the information less free.
It prevents caching. Say a school in sub-Saharan Africa has only a 128 kbps, harshly metered connection for all its computers to use. With cleartext HTTP, if all the students visit the same encyclopedia page, a Polipo caching proxy inside the school can retrieve it once and serve it to 25 students in a classroom. But with HTTPS, the proxy can only handle the CONNECT verb to tunnel the connection to the origin server, causing transfer of 25 times as much data compared to the case with an intermediate cache.
Your concern may have some merit.
Just be aware of the trade-off. Remember the $100 million hack yesterday, where the same company got hit twice in eight months, from phishing attacks? Corp sec could have prevented those if they had visibility into what pages the employees were loading. They could have seen the employees entering their ldap credentials into corporateHR.ru and prevented it. Our SOC catches a LOT of that stuff.
Also catches and blocks a lot of malware, crypto-locker style ransomware, etc.
So you have to decide which is worse - crypto-locker and the bad guys having your ldap credentials, or your fear of the NSA seeing you reading Wikipedia. I don't think either answer is always right.
WIth the diffy hellman key exchange *they* could build a secure connection right into the 2 big webservers and the 3 big browsers.
It could all be transparent.
Me,as both user and webmaster do not need to install nothing. double negative!!
Diffie Helman!! Exchange those frikcin. keys!!
Where it all goes wrong is the
1) The Certificate Mafia wants outrageous fees
2) Wanted some central authority to 'ceritfy' a website (which is the camel in the tent for central licensing of all websites)
The end-to-end secure connection is conflated with a central "trusted" authority saying your site is legit.
Somebody put an end to google and mozilla and their freaking out about me browsing an 'unsecure' site full of google tracking code, and facebook tracking code.
The https weenies need a good slap upside the head. Stop this silliness.
The amounts sites that have a 'bad' certificate is already breaking the web.
Because we're now teaching the mantra of "encryption makes you secure", and people will swallow it. Unfortunately, it's not true. It is absolutely possible that you connect to hxtps://onlinebanking.bankofmurrica.com, log in and be surprised that suddenly your money is gone. Because encryption only means that traffic is secure between you and the target, and a certificate only says that the other side is who they claim to be.
What a certificate cannot ensure is that you're really connected to who you think you're connected to. So the next step, or even the step before, should be to teach people to read the fucking URL they communicate with instead of just going "oh browser says 'secure' so it's all right, let me just enter all my passwords".
But where's the money for Google in that?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Let's Encrypt is easy but not too easy. It benefits Google, Amazon, and others to make it harder for individuals to host their own services. Do all use cases require encryption? No, they do not.
But soc doesn't need to intercept ssl; they have root on all the devices they care about and can monitor traffic there. Nothing stops attackers from shipping their own libssl and certificates but that won't stop a local debugger.
EOM
This is sort of pedantic though.
They can still see you are requesting bigblackcocksxxx.com who cares if they can't see the /3-big-cocks-vs-midget they still already have the genesis of what you are doing.
https gives a lot of average internet users a huge false sense of security.
The broswser does TLS, so system access doesn't give you access to monitor it. Not using safe APIs. An attacker with root could dig into your RAM or whatever, but that's not a safe approach.
I canâ(TM)t remember too many who even care about this. Most users seem to ignore this security even when provided a visual reminder. I have agree that much of this seems over kill for some sites. Looks more like a money crap to have to buy a cirtificate for their site just to be approved by a web browser.
How do you go to the grocery store? Surely you don't believe that unless you personally milked the cow, you can't know that it's milk and of comparable trustworthiness to any white liquid you find in a random container, right? When people say that milk is inspected by the (fallible) FDA/USDA, do you scoff at their "argument from authority"? I mean, at some point in your life you must have had to accept that there are imperfect systems that nevertheless work reasonably well and that have means for self-correcting errors when they do happen. The vast majority of milk sold in the US is milk, and it's reasonable to trust the milk from a reputable grocery store even if you don't personally know who milked it.
I mean, there's plenty of legitimate criticism and improvements to be made about the state of CAs. It ain't perfect, but trust-nihilism isn't even close to a reasonable alternative.
A nudge is still contact.
A nudge is coercion.
Unwanted touching is assault.
A nudge is still physical. Violence.
Say you consider the CA nor the self-signed website owner equally trustworthy/untrustworthy. You're still much better off trusting a dozen CAs than a thousand website owners. Browser-trusted CAs allow you to risk your trust on as few entities as possible. You'll still get burned sometimes, but at least you'll be more likely to know who to blame.
This space intentionally left blank
With groceries etc you can sue and win. Part of the point of hacking is to make it damned near impossible to get a legal remedy
Taking over things, one nudge at a time.
I think you're providing a nice counter example there. Symantec's actions as untrustworthy resulted in them directly losing their business. Same with some of the other vendors we had.
Ultimately exposure to users was limited, certificate revocations were issued, and the guilty parties punished. This is very much a system working as intended in order to maintain trust.
That's not to say you should blindly trust them, but given they actually have something to lose and standards which they need to uphold along with an auditable chain of trust, they get a hell of a lot more trust than random parties.
The entire concept of certificate "authorities" is already fundamentally broken by design. (Kinda obvious, given the "argument from authority" fallacy.)
I can not trust an organization that happens to host a website, but I'm supposed to trust an organization that happens to be a CA? Because the browser maker said so? Whose trustworthiness is not established either, by the way.
Yes and here's why: Browser makers don't work in a vacuum. Differences in certificate trust are easily checked on installed instances so you can see if one browser is acting nefariously vs the others. Along with that there are many very open browsers out there who very publicly discuss CAs (see Mozilla).
By extension those various browsers have power over the CA and they have demonstrated repeatedly to execute that power in order to hold the CAs to a reasonable standard. See Symantec, WoSign, or even state run CAs like CNNIC as examples of this system working in practice.
The result is trust through fear of retaliation, or rather as it typically goes, trust through fear of your entire business being given the death sentence. CAs have a lot to lose by breaching the trust of users and their actions in doing so are very easily traced thanks to the very public nature of their work.
You may not trust any random organisation, but you certainly have plenty of reasons to place more trust in a CA to ensure your channel is encrypted and the target organisation is who they say they are. ... Assuming you're not on a corporate computer that is.
>I can not trust an organization that happens to host a website, but I'm supposed to trust an organization that happens to be a CA?
I think everyone agrees on CAs being broken, but the problem with HTTP is that we can't trust the *network*. We obviously trust the website's host (you don't buy things on Amazon if you don't trust Amazon), but we can't trust that what we're served actually comes from that host.
By the way, I wonder how people can still trust their antivirus products after they proved themselves generally incompetent at security.
They don't trust them, they just fear viruses and ransomware more, and it seems to me that they're not wrong.
They have an agenda. They no longer want to fix things, just duct tape them over. with progressively encumbering duct tape..
Someone on /. who knows what they're talking about. It still happens!
The blockchain has a great use case here. It should be trusted from a source that cannot be censored, not some backwater centralized SSL outfit.
I don't code in https, and the article doesn't explain how one codes in https.
It's not even about the prices. They will simply deny you a certificate if you are doing something they, or the powers that be, don't like.
The whole point of HTTP and HTML is that absolutely anyone can implement and run a server or a browser. Otherwise we could have gone with webpages a interlinked Word documents served by Exchange servers. This brings us much closer to sucky closed design. I can't implement https server as a shell script and maintaining keys requires time and money. And simply hosting a webpage requires coding on client and server rather than just dropping a text file somewhere. We can't control what corporations and sheeple who are their customers do, but it's time to resurrect open alternatives. Just like WWW itself was an alternative to Compuserve and AOL. With any luck, we can also bring back intelligent independent content as an alternative to Fox News and CNN.
I have some local machines that have NO connection to the rest of the world. They are HTTPS, but having am official cerificate is not really possible as far asI know, because they can not be verified like my others do that you canb reach from the outside.
It is a sfucking 192.168.x.y address. Stop saying it isn't safe, ya dolt.
Don't fight for your country, if your country does not fight for you.
If a CA inappropriately signs a leaf cert, they will be booted from the big browsers.
This is not conjectural, multiple CAs have been ejected.
Is it really Google's job to bully site-owners into taking action?
How about if Google then forks over the ever increasing cost of certificates/SSL for sites?
Many websites are hosted where only the host can install certificates. This significantly increases costs.
And then, HTTPS breaks and a new need for security arises!
Isn't unregulated life in a capitalistic world grand?!
Perhaps the take-away here is to buy SSL certificate company stocks before this faux bubble breaks!
Self-importance and self-indulgence is the root of ALL evil.
This should be the next slashdot poll. My answers are 1: I drive; 2: yes; 3: YES!;
Forcing a website that serves only public content and requires no user input it's absurd!
Why spend the resources of encryption (well put by @RichardStallin) in something that needs none as it's already public information.
The only point I see in Google doing this is that they're concerned about sharing the user navigation history with others since forcing https doesn't affect Google Analytics but may affect other services who get their stats based on packet inspection.